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PATENT APPLICATION 

CRYPTOGRAPHY FOR SECURE DYNAMIC GROUP 
COMMUNICATIONS 

CROSS REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims benefit of priority to United States provisional 
patent application 60/526301, "Cryptography for secure dynamic group 
communications: method, apparatus, and signal", filed 12/1/2003 and United States 
patent application / entitled "Cryptography for secure dynamic group 

communications", filed 11/30/2004. 

STATEMENT REGARDING FEDERAL FUNDING 

[0002] This invention was made with U.S. Government support under Contract 
Number DR-AC03-76SF00098 between the U.S. Department of Energy and The 
Regents of the University of California for the management and operation of the 
Lawrence Berkeley National Laboratory. Hie U.S. Government has certain rights in 
this invention. 

REFERENCE TO A COMPUTER PROGRAM 

[0003] Not Applicable. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

[0004] The present invention relates to provably secure communications, and 
more particularly relates to secure communications among dynamic groups. 

2. Description of the relevant art 

[0005] US patent 5,241,599 discloses a method which permits computer users to 
authenticate themselves to a computer system without requiring that the computer 
system keep confidential the password files used to authenticate the respective user's 
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identities. The 5,440,635 invention is useful in that it prevents a compromised 
password file from being leveraged by crafty hackers to penetrate the computer 
system. 

[0006] US patent 5,440,635 discloses a cryptographic communication system, 
which employs a combination of public and private key cryptography, allowing two 
players, who share only a relatively insecure password, to bootstrap a computationally 
secure cryptographic system over an insecure network. The 5,440,635 system is 
secure against active and passive attacks, and has the property that the password is 
protected against offline "dictionary" attacks. 

[0007} US patent 6,226,383 discloses a cryptographic method, where two players 
use a small shared secret (S) to mutually authenticate one another other over an 
insecure network. The 6,226383 methods are secure against off-line dictionary attack 
and incorporate an otherwise unauthenticated public key distribution system.. 

[0008] One major difficulty with the preceding patents, and other representative 
technology, is that none of them scale very well to groups of more than two players 
intercommunicating with a secure encrypted method which is provably secure. 

[0009] Publication "Group Diffie-Hellman Key Exchange Secure Against 
Dictionary Attacks" by Bresson, Chevassut, and Pointcheval, discloses a 
cryptographic communication system, which may be secure against "dictionary" 
attacks. 

[0010] Publication "Mutual Authentication and Group Key Exchange for Low- 
Power Mobile Devices" by Bresson, Chevassut, Essiari, and Pointcheval, discloses a 
cryptographic communication system for low computational power devices. 

[001 1] The mathematic field of algebraic groups contains several terms in 
colloquial use that are used in this patent application. Such terms are "Finite Group", 
"Cyclic Group", "Group Order", ^Gioup", "Abelian Group", and 'Identity Element". 
These terms are used to describe the mathematics behind the concept of a finite group 
or afinite cyclic group with prime generator "g". 
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BRIEF SUMMARY OF THE INVENTION 

[0012] This invention provides for a method for generating a cryptographic key 
by a player in a dynamic group, the method comprising: receiving, by a player \J P in a 
dynamic group with a first player Uj and a last player U*, where p>l , a previous 
upflow FIpj from a previous player U^j in the dynamic group; player U p selecting a 
random value x p , and a random value v p ; and player U p sending an outflow Flp , 
comprising information based on the random value Xp , the random value v p , and the 
previous upflow FI^; » The first player Uj may be a process on a computer that seeks 
to initiate a dynamic group, that in turn communicates with U 2 who may be either a 
user on the same computer, or another process on the same computer. In this instance, 
the last player, U„ would be a third or greater player. Dynamic groups of players may 
variously have size ranges from 1-2, 1-3, 3-20, 1-100, 1-1000 or more. Specifically, 
dynamic groups may initiate with 3 or more players, with subsequent departure of 
players, resulting in a dynamic group of 2 players. Similarly, dynamic groups may 
initiate with a single player, increasing to a dynamic group of 2 players may 
subsequently increase or decrease in number. 

[0013] The method for generating a cryptographic key by a player in the dynamic 
group of paragraph [0012] , may further comprise: for a first player U; in the dynamic 
group: player Up selecting a random value xj , and a random value Vj ; setting an 
initial upflow Flj comprising information based on the random value xi , die random 
value V; , and "g", a generator of a finite cyclic group where a computational solution 
to a Diffie-Hellman problem is hard 

[00 1 4] In the method for generating a cryptographic key by a player in the 
dynamic group of paragraph [0013] , the sending step may further comprise: when 
player Up is not the last player in the dynamic group, then : player JJ P sending an 
upflow Fl p to a subsequent player U^j in the dynamic group, the upflow Fl p 
comprising the outflow Fl^ when player U p is the last player in the dynamic group, 
then: player U p sending a downflow Fl„ to all other players in the dynamic group, the 
downflow Fin comprising the outflow Flp. 

[0015] In the method for generating a cryptographic key by a player in the 
dynamic group above, one or more players may be deleted by steps comprising: 
forming a set of L players, JJl , leaving the dynamic group; forming a set of R players, 
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Ur , remaining in the dynamic group; choosing a controller Uc from the remaining set 
of R players Ur ; inputting, by controller Uc , the downflow f% , where the downflow 
Fl n has one entry associated with each player in the dynamic group; and sending a 
controller Uc downflow signal Fl^, , comprising: controller Uc sending the controller 
downflow Fl^ based upon a random value a random value vc, and the downflow 
signal Fl« , where each entry associated with the set of L players Ul leaving in the 
downflow signal R* has been deleted 

[0016] In the method for generating a cryptographic key by aplayer in the 
dynamic group above, one ore more players may be added by steps comprising: 
forming a set of J players to form a larger dynamic gropuUf, ... U m U n+ i, ~.,U n+ jb 

U^j, where J < k £ J; sending an upflow FI n+ * from each player U n+ jt, to 
player U n +*+/, where 7 £ k < J-l, said upflow Fl n+ * based upon a random 
value Xn+k , a random value v n+ * , and the upflow Fl n +t-i received from player U^ w ; 
and sending a downflow Fl n + / by player U n +j , based upon a random value x n +j > a 
random value v„+/ , and the upflow R»+/.j. 

[0017] In die method for generating a cryptographic key by a player in the 
dynamic group above, all players may be refreshed with a new cryptographic key by 
steps comprising: choosing a refresher U r from die dynamic group U/, ... U n ; 
inputting, by refresher Ur, the downflow R» , where the downflow R n has one entry 
associated with each player in the dynamic group ; and sending, by refresher U r , a 
refresher U r downflow Ff r based upon a random value * r , a random value v r , and the 
downflow signal FI^. 

[0018] In the methods above for generating a cryptographic key wherein said 
upflows may be encrypted with a first encryption method. Alternatively, the 
downflows may be encrypted with a second encryption method, or still, both upflows 
and downflows may be encrypted with a single encryption method. Outflows may 
also be encrypted by either the first, second, or an entirely different encryption 
method. Any of these encryption methods may be based on symmetric-key, elliptic 
curve symmetric-key, or public key encryption methods. 
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BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS 


[0019] The invention will be more fully understood by reference to the following 
drawings, which are for illustrative purposes only: 

[0020] Fig* 1 A is a schematic of the flows involved in a secure dynamic group of 
four players. 

[0021] Fig. IB is a schematic of the flows involved in a secure dynamic group of 
four players where player two has been deleted, and player four has been designated 
as the group controller. 

[0022] Fig. 1C is a schematic of the flows involved in a secure dynamic group of 
four players where player two has been deleted, and player three has been designated 
as the group controller. 

[0023] Fig. 2A is a schematic of the flows involved in a secure dynamic group of 
two players. 

[0024] Fig. 2B is a schematic of the flows involved in a secure dynamic group of 
two players adding another two players. 

[0025] Fig. 3 is a schematic of three secure dynamic groups in communication 
through players who are members of two of the groups. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Definitions 

[0026] "Computer* means any device capable of performing the steps, methods, 
or producing signals as described herein, including but not limited to: a 
microprocessor, a microcontroller, a digital state machine, a field programmable gate 
array (FGPA), a digital signal processor, a collocated integrated memory system with 
microprocessor and analog or digital output device, a distributed memory system with 
microprocessor and analog or digital output device connected by digital or analog 
signal protocols. 

[0027] "Computer readable media" means any source of organized information 
that may be processed by a computer to perform the steps described herein to result 
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in, store, perform logical operations upon, or transmit, a flow or a signal flow, 
including but not limited to: random access memory (RAM), read only memory 
(ROM), a magnetically readable storage system; optically readable storage media 
such as punch cards or printed matter readable by direct methods or methods of 
optical character recognition; other optical storage media such as a compact disc 
(CD), a digital versatile disc (DVD), a rewritable CD and/or DVD; electrically 
readable media such as programmable read only memories (PROMs), electrically 
erasable programmable read only memories (EEPROMs), field programmable gate 
arrays (FGPAs), flash random access memory (flash RAM); and information 
transmitted by electromagaetic or optical methods including, but not limited to, 
wireless transmission, copper wires, and optical fibers. 

[0028] "Player* * means any person using, or any computer process residing, on a 
client or server computer. Multiple players may reside on the same or different 
computers, and multiple instances of a control process or person may be so 
designated 

[0029] "Dynamic fimnp" means a collection of players communicating together, 
where one or more players may be added or deleted singly or in subgroups . 

[0030] ' "Finite Group" means a group of finite order n defined by an element g , 
the group generator, and its n powers, up to g n ~ /, where / is the identity 
element Further details regarding group theory, finite, and finite cyclic groups, may 
be obtained in mathematical treatises on algebraic group theory. 

Secure Group Encryption Setup 

[0031] One aspect of this invention is a secure group setup protocol In this 
aspect, an initial static group of players desire to exchange a cryptographic key using 
a group password pw 9 which is known to all players. Initially, a base "g" is chosen, 
where "g" is a generator of a finite cyclic group. Generator "g" is additionally a high 
order prime number chosen so as to make a solution of die Diffie-Hellman problem 
computationally hard 

[0032] A plurality of players Ui, ...U/, ..^Urt, where i £ / £ n are 
defined to be players U/ of the n players comprising a secure group. 
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[0033] The secure group is set up in the following manner. A first player, XJj , 
uses a generator "g", selects a random value xu and a random value Vj . Player Ui then 
sends an initial upflow signal Fl j from player U; to player U2, where the initial upflow 
signal Flj is based npon generator "g", the random valuer, and the random value vj . 

[0034] Similarly, for player U 2 through player U R _j , each player U/ selects a 
random value and a random value Vj . Player U/ then sends an upflow signal Fl/ 
from player Uf to player U/+/ . The upflow signal Fl/ includes information based upon 
the preceding player UjLi upflow FIjl;, the random value/;, and the random value vj . 

[0035] la a functionally equivalent manner, the preceding method describing the 
steps from player U2 to player U^j may instead be taken as though from player Uj 
through player j by the simple expedient of setting Flo to be the generator "g". 

[0036] The final player, U A , takes as an input the preceding player U n -i upflow 
Fta . Player U„ selects a random value and a random value v„. Player U n then 
broadcasts a downflow signal Fl* to the remaining players (also known as a multicast 
when substantially simultaneously broadcast to multiple players) in the plurality of 
players Uj . . . U»-j . Downflow signal Fl„ includes information based upon the 
preceding player U^i upflow Fl»-;, the random valuer and the random value v n . 

[0037] Once a player U/has received the downflow signal Fl„, player U/may 
calculate a cryptographic key for use in secure group communications based on the 
downflow signal Fl n , and its previously selected random value % - At this point, 
player Uf may be thought of as having connected to the group. 

[0038] In the description above, the upflows may be unencrypted, encrypted by a 
first encryption method, or indeed encrypted with a different encryption method 
between each successive player JJj to TJj+j . Similarly, the downflow may be encrypted 
with a second encryption method, the same first encryption method, or indeed no 
encryption whatsoever. At this time, the literature has shown proof of security where 
the upflows and downflow are protected by encryption methods. Examples of such 
encryption methods include, but are not limited to, the Diffie-Hellman key exchange 
method, elliptic curve-based Diffie-Hellman methods, public key encryption methods, 
etc. 
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Detailed Description of the Flows 

[0039] Each flow sent from a player Uj is dependent on the incoming upflow U/j, 
and the two selected random values # and Vj, with the understanding that Flo is 
comprised of generator "g". Table 1 below demonstrates this previous player 
dependency for a simple example case of four players: 

Table 1. Flows Associated With Four Players 


Flo 

g 




Fli 





Ffe 





Fb 


gWWWTs 


gWwria 

FU 





Term-* 

Pi 

p 2 

P* 

$4 


\ 

[0040] In Table 1 above, each term pi ... p* in each flow is a single-valued 
number evaluated by exponentiation of die generator "g" as indicated. Thus, Flj can 
be seen to have four numbers. Each of the players Ui ... II* may have the downflow 
Fit sent to them in either a sequential or a multicast manner. Additionally, may 
also send the downflow FL* to itself should that be advantageous. 

[004 1] Each of the players U* at this point has available to it a term p* in the 
downflow FU corresponding to player U*, as well as its previously selected random 
value x* A cryptographic key is generated by raising the term p* corresponding to the 
player U* in the downflow to the power/*. 

[0042] As an example, stiHrefening to Table 1 above, player Ui has term pi in 
the downflow of g*********** , notably without any %i exponent By raising p 2 to the# 

power, we obtain (g^^os** )* , or more simply g^w****** , which is the 
cryptographic key for player Ui, and indeed, all of the other players Ui ... U* . Thus, 
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all players have the same cryptographic key, and may commence communications 
with the key using Data Encryption Standard (DBS), Advanced Encryption Standard 
(AES), or other encryption method, based upon the cryptographic key. From the 
cryptographic key gVtwaxaa* ^ a session key may be calculated 

[0043] Refer now to Figure 1 A, which depicts the setup phase of the four players 
described previously in Table 1. How Hi originates with player Uj, and is propagated 
to player U2. Similarly, player U2 originates flow Fl 2 , which is propagated to player 
Uj , and U3 originates flow Flj , which is propagated to player U4 . U* is shown as 
either sequentially broadcasting the downflow FL* to players Uj , tfe , and U3, or 
simultaneously multicasting the downflow FL* to players Uj , U 2 , and Uj . When a 
player Uj , U2 , and U5 receives the downflow FU and has generated the cryptographic 
key for a secure group session, the secure group 100 is established, and is ready for 
intragroup secure communication. 

Secure Group Deletion 

[0044] As may also be observed from Table 1 above, no term in any of die flows 
Fir ... FU is repeated, and each flow term P* is distinct This distinctiveness property 
increases die difficulty of "cracking" the secure group cryptographic key, as none of 
the data values are repeated. Note that for each of the players U* where k= 1...4, none 
of the flow terms pi vertically above player U* contains any exponentiation using xt- 

[0045] To delete aplayer U/, the downflow (in this example FU) has the term p; 
associated with die player U/ deleted Additionally, one of the remaining players is 
designated as the group controller (denoted "gc" in subscripts). After the downflow 
has been redacted of the one or more players leaving the group, the group controller 
selects a new random value and a new random value . Using the previously 

obtained random values ^ and used to enter the secure group, the resulting 
redacted flow is adjusted by raising each remaining term Py having exponent^ , to 
✓ V 

die power — — — . For each remaining term % not having an exponent term 

A>8C r ge 

containing^, (i.e. where j = gc) the redacted flow term is adjusted by being 
exponentiated to die power — . 
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[0046] The group controller may be chosen arbitrarily, but may also be phosen for 
reasons of security, computational power, logistical reasons, or convenience. 

[0047] Refer now to Table 2 below, where, as an example, player is leaving 
the original four player secure group session described above. The group controller, 
here taken as player , selects new values , and a new random value v\ , and 

adjusts the redacted downflow Fl V2 • The Fl V2 notation reflects a new flow including 
information based on the original downflow FL* with player U2 having been removed. 


Table 2. Four Original Players With Player Two Redacted 


FL* original 





FU-2 redacted 





FY 4-2 redacted 




gVPivjteatf* 

Player -> 

Ui 

u 2 

u 5 


Term -> 

Pi 

02 

05 



[0048] The deleted secure dynamic group that results is shown below, and 
denoted with primes to indicate the change in the group state. This updated state is 


' then broadcast to the remaining group players. 

[0049] Note that in this example, redaction is conceptually indicated by crossing 
out the cell containing the corresponding term in Table 2. While actual deletion of the 
corresponding term in the redacted outflow FI4.2 is one option for forming the 
redacted outflow Fl V2 » it may also be formed by simply outputting the other terms of 
the redacted outflow, and skipping ova: the term(s) corresponding to the player(s) 
being deleted. Restating this, in the skipping method, the term p 2 is never actually 
deleted, merely skipped over and not included in the downflow Fl In either event, 
Table 3 shows the resulting downflow FIV2 terms comprising the actual flow. 
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Table 3. Multicast Resulting From Four Original Players With Player Two Redacted 






Player' ~> 

U'i 


V'4 


I 

[0050] Refer now to Figure IB, which graphically indicates the removal of player 
U2 previously described in Tables 2 and 3 . hi this case, player U* has been designated 
as the group controller, and been renamed as Ugc . The adjusted downflow, having 
player U 2 redacted, is denoted FK^ , which is either sequentially or simultaneously 
broadcast to players U; and U3 . Once a player has received the adjusted downflow 
FYgc and has calculated a new cryptographic key, intragroup communications may be 
either commenced or resumed in the redacted group 130. 

[0051] Refer now to Figure 1C, which graphically indicates the removal of player 
U* In this case, player U3 has been designated as the group controller, and been 
renamed as Vgc . The adjusted downflow, having player XS 2 redacted, is again denoted 
FTge , which is either sequentially or simultaneously broadcast to players U; and U* . 
Once a player has received the adjusted downflow FK^ and has calculated a new 
cryptographic key, intragroup communications may be either commenced or resumed 
in the redacted group 170. The resulting group 170 is functionally equivalent to group 
130 described above in Figure IB, with the exception that the cryptographic key and 
downflow FVgc terms will be entirely different 

[005 2] In the example above, player U2 has been shown as actually removed In 
practice, the player(s) being removed need just be skipped over in the multicast 
updated flow. After a player determines that it is no longer a member of the secure 
group, it would preferably delete all references and data relating to the group. As 
implied, this process may be used for several players leaving a dynamic secure group 
simultaneously, with the proviso that at least one player remain in the dynamic secure 
group. Additionally, the removal steps may be combined with the joining operations 
described below. 
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Secure Group Refresh 

[0053] It may readily be seen that in the trivial case where no party is leaving, the 
previous steps of selecting a group controller, picking new random values for the 
group controller, and updating the downflow to the other group members has the 
effect of refreshing all downflow terms, and thereby refreshing the cryptographic key. 
Insofar as a hacker trying to break the cryptographic key, this has the effect of starting 
the attack all over, with no history whatsoever. This refresh technique may be useful 
if it appears that the secure group is undo: attack, or if there have been a number of 
unsuccessful joining events (joining is described below). 

Secure Group Joining 

[0054] Generally speaking, a set of J new players may j oin an existing plurality of 
players Uj ... U* to form an expanded plurality of players Uj ... 
U n ,U n +i ... U„+* ... U„+y, where 1 <> k £ / . In this process, one or more players 
are added to an ongoing group of players Ui ... U n , so that both the existing and new 
players may communicate among the expanded secure group. 

[0055] A method used to join new players U A+ jt, U n+ y, where 
1 £ k <* /to an existing group Uj ... U» of n players comprises choosing one of 
the existing group players to act as a group controller XJ gc . The group controller has 
available to it the initial group downflow Fl«, as do all players of the initial group. 

The group controller JJ gc selects anew value Z&> anew random value , and 

adjusts the initial downflow with the new X& and , valuels. As the initial 

downflow Fl n is adjusted, the cryptographic key term missing from the initial flow is 
added. The resulting adjusted flow is then sent to the first new player U B+ 7 , in the 
expanded secure group. 

[0056] For players U n +j through player U n+ /_i , each player \J n +k selects a random 
value Xn+k, and a random value v *+* . Player U n +k then sends an upflow signal FV n +k 
from player U ^ to player Un+t+i - The upflow signal FIV* comprises information 
based upon the preceding player Un+w upflow FT»+jt-j , the random value Xn+h and 
the random value Va+* . 
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[0057] The final player in the expanded group, U* + /, takes as an input the 
preceding player U„+/-j upflow FY n+J . 2 . Player U„+/ selects a random value Xn+j, and 
a random value v„ + y. Player XJ n +j then broadcasts a downflow signal FT n+ / to the 
remaining players (also known as a multicast) in the expanded plurality of players Uj, 
... Ufl, Un+j, 

tW, U„+7, where J <> k < /-l. Downflow signal FK^y comprises 

information based upon the preceding player XJ n +j-i upflow Fl'n+jj, the random value 
Xn+jy and the random value Vn+j . Broadcast from the final player U n+ j in the expanded 
group to itself if not necessary, but may also be done. 

[0058] Once a player XJj has received the downflow signal FV n +j , player JJj may 
calculate a cryptographic key for use in secure group communications based on the 
downflow signal FYn+j , and its previously selected random value # . 

[0059] In die description above, as with die initial setup of the secure group, die 
upflows may be unencrypted, encrypted by a first encryption method, or indeed 
encrypted with a different encryption method between each successive player Ur to 
Ujw . 

[0060] Similarly, the downflow may be encrypted with a second encryption 
method, the same first encryption method, or indeed no encryption whatsoever. At 
this time, the literature has shown proof of security where the upflows and downflow 
are protected by symmetric key encryption methods. Examples of such symmetric key 
encryption methods include the Diffie-Hellman method, elliptic curve-based Diffie- 
Hellman methods, etc. 

[006 1] The method described above for forming an expanded group is likely 
easier to understand with an example. Refer now to figures 2A, 2B, and Table 4, 
which illustrate the steps and flows involved in expanding a secure group of two 
players to a secure group of four players. 

[0062] In Figure 2A, we see an initial secure group 200 comprised of two players 
Uj and U 2 . In this very simpteexample FIj player Uj transmits an upflow Fly to player 
U2. Player U2 responds by in turn transmitting a downflow Ffe to player U;. After both 
players have calculated the cryptographic key, secure communications may 
commence between them. 
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[0063] Table 4 details the two flows between players U 2 and U 2 that comprise this 
initial secure group 200 with Flj and Fl 2 . In this example, die two flows comprise 
two exponentiated teams. As usual, the zeroth flow Flo is set to comprise g. 

[0064] Figure 2B indicates the addition of two more players to the secure group, 
forming a secure group 250 comprising four players: Uy , U 2 , IT* and U'* . All new 
components in this Figure are reflected with primed notation. Thus, we see that 
players U'j , U ' 4 , and flows FY 2 , Fl'j , and Fl j are new. In this example, player U 2 is 
designated as the group controller. 

[0065] Player U 2 forms the adjusted flow, denoted as "FT 2 Adjusted" comprising 
information based on a new random value / 2 , a new random value V 2 , and the 
previous downflow Ffe , denoted in Table 4 as "Fl 2 Initial". Player U 2 , acting as the 
group controller, then sends an upflow signal FT* to player U j. Player U'j then forms 
a new upflow, FY3 , comprising information based on a random value / 3 , a random 
value V 3 , and the previous upflow "FK 2 Adjusted" Player U'3 then sends upflow 
signal FTi to player . 

[0066] Player U'* then forms a new downflow, FY 4 , comprising information 
based on a random valued a random value V4 , and the previous upflow FY 3. 
Player U '4 then sends downflow signal FY 4 to players Uj , U 2 , andU'j . When 
. players Vj , U 2 , and U5 receive the downflow signal FY 4 , they may then use their 
private exponent values of % to calculate the cryptographic key. 


Table 4. Hows Associated With Two Players Joining An Initial Two Players 


Flo 

g 




Fl, 





Fl 2 Initial 


8"** 



FK 2 Adjusted 

8*** 

8*** 



FT 3 
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FV 4 





Term -> 

pi 

p2 

p* 

P< 


Dynamic Secure Groups 

[0067] It may be readily understood that groups may arbitrarily grow and shrink 
by sequential join and delete operations. Additionally, the join and delete operations 
may be simultaneously applied. This fluid nature of group size, with players coming 
and going, is why the term "dynamic" is used to describe such groups. 

Distinct Secure Groups With Common Players 

[0068] Refer now to Hgure 3, where players Uj ... form secure group 100. 
Another secure group 330 comprises players U; also in group 100, as well asLU ... 
Ux> . Additionally, another secure group 360 comprises players U* also in group 100, 
as well as Uy . . . Uz . Since player Uj is a member of both groups 100 and 330, and 
since player is a member of both groups 100 and 360, it is possible for all players 
Ua ... Ud , Ui ... U* and Uz ... Uz to all intercommunicate. Players U/ and U* would 
be required to translate from one secure group cryptographic key to the other, or in a 
sense act as a secure transmission router. In this manner, different secure groups may 
be joined by common players. Although not illustrated in Hgure 3, a player may be in 
an unlimited number of groups, and group interconnection topologies are not limited. 

Merflhi ff Of Distinct Secure Groups With Qmmnn Players 

[0069] Although not described in Rgure 3, some or all of the players Uj ...U*, 
Ua ... Uz> and Ux ... Uzmay be merged into either a separate or distinct union of the 
secure dynamic groups. These operations would be straightforward applications of the 
setup and/or join operations previously described above. 

[0070] Alternatively, itis possible for some or all players Ua ... Ud andUjf...Uz 
to be joined to initial group 100 formed initially by players U; ...U*, thereby all 
players may intercommunicate directly by merging into one supergroup comprising 
players Ua ... U/> , Uj ... U* and Ux ... Uz. This may be accomplished by 
straightforward application of the join operation described above. Alternatively, by 
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taking advantage of already formed groups 330 and 360, a combination of join and 
refresh operations on the groups 330 and 360 may more rapidly be used to form a 
supergroup comprised of Ua ... Ud , U/ ... and Ux ... Uz. 

Conclusion 

[0071] All publications, patents, and patent applications mentioned in this 
specification are herein incorporated by reference to the same extent as if each 
individual publication or patent application were each specifically and individually 
indicated to be incorporated by reference. 

[0072] The description given here, and best modes of operation of the invention, 
are not intended to limit the scope of the invention. Many modifications, alternative 
constructions, and equivalents may be employed without departing from the scope 
and spirit of the invention. 

[0073] Arithmetic is in a finite cyclic group G=<alpha> of prime order beta. This 
group is assumed to be given a generator <alpha>. We assume that G, alpha, and beta 
are well-known. The group G should be a group on which the computational Diffie- 
HeDman problem is hard. There are three possibilities for such group: G = Z*p where 
p is a large prime number, G is an appropriate subgroup of Z*p; and G is an 
appropriate elliptic curve group.. 

[0074] Encryption methods may be instantiated by either the AES symmetric 
cipher or the bit-wise Boolean XOR-ing of the password with a public key. 
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CLAIMS 

We claim: 

L Amethodforgenerathgacryptogra^^ 
method comprising: 

a) receiving, 

i) by a player V p in a dynamic group with a first player U / and a last player U*, 
where p>l > 

ii) a previous upflow Flp-i from a previous player \Jp-i in the dynamic group; 

b) player JJ P selecting a random value x p , and a random value v p ; and 

c) player Up sending an outflow F] p , comprising information based on the random 
value Xp , the random value v p , and the previous upflow Fl^/. 

2. The method for generating a cryptograpta^ 
claim 1, further comprising: 

a) for a first player in the dynamic group: 

i) player U p selecting a random value xi , and a random value vi ; 1 

ii) setting an initial upflow Flj comprising information based on the random 
value Xi,, the random value vi , and "g*\ a generator of a finite group where a 
computational solution to a Diffie-Hellman problem is hard. 

3. The method for generating a cryptographic key by a player in the dynamic group of 
claim 2, the sending step further comprising: 

a) when player Up is not the last player in the dynamic group, then: 

i) player Up sending an upflow Flp to a subsequent player Up+ 7 in the dynamic 
group, 

(1) the upflow Flp comprising the outflow Flp, 

b) when player Up is the last player in the dynamic group, then: 

i) player Up sending a downflow F\ n to all other players in the dynamic group, 
(1) die downflow FV, comprising the outflow Flp. 

4. The method for generating a crypto^ 
claim 3 comprising: 

a) forming a set of L players, Ul, leaving the dynamic group; 
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b) forming a set of R players, U* , remaining in the dynamic group; 

c) choosing a controller Uc from the remaining set of R players U*; 

d) inputting, by controller Uc , the downflow R„ , 

i) where the downflow Fl n has one entry associated with each player in the 
dynamic group; and ( 

e) sending a controller Uc downflow signal 1% , comprising: 

i) controller Uc sending the controller downflow f% based upon a random value 
xc , a random value Vc , and the downflow signal Fl n , 
(1) where each entry associated with the set of L players Ur leaving in the 
downflow signal Fl* has been deleted. 

5. The method for generating a cryptographic key by a player inf the dynamic group of 
claim 3 comprising: 

a) forming a set of J players to form a larger dynamic group U7, ... U^Uih-i, ...» 
Un+jb tywjr, where / k £ /; 

b) sending an upflow F^+jt from each player U w+ * > to player U n +k+i > where 
1 << k < 7-1, 

i) said upflow H based upon a random value Xn+i , a random value v n+ * , and 
the upflow Fl n+kri received fiom player IW. j ; and 

c) sending a downflow FU+/ by player U^/ , based upon a random value Xn+j , a 
random value v„+jr , and the upflow FI» +j m. 

6. Hie method for generating a cryptographic key by a player in the dynamic group of 
claim 3 comprising: 

a) choosing a refresher U r from the dynamic group Uj, ... U„; 

b) inputting, by refresher U n the downflow Fl n , 

i) where the downflow Fl„ has one entry associated with each player in the 
dynamic group; and 

c) sending, by refresher U n a refresher U r downflow Fl^ based upon a random value 
Xr y a random value v r , and the downflow signal Fl m 

7. The method for generating a cryptographic key of claim 1 wherein said upflows are 
encrypted with a first encryption method. 
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8. The method for generating a cryptographic key of claim 3 wherein said downflows 
are encrypted with a second encryption method 

9. ThemethodforgenerattagaCT^togr^phicfceyof claim 3 wherein said upflows and 
downflows are encrypted with a single encryption method. 

1 0. An apparatus for generating a cryptographic key of claim 1 . 

11. The method for generating a cryptographic key of claim 1, wherein said steps are 
recorded on a compute: readable medium. 

12. The method for generating a cryptographic key of claim 1 , wherein said upflows form 
a data structure transmitting through a computer readable meHiinn 

13. The method for generating a cryptographic key of claim 1 , wherein said steps are 
performed in a computer. 

14. The method for generating a cryptographic key of claim 1, wherein said upflows are 
signal transmissions. 

15. The method for generating a cryptographic key of claim 3, wherein said downflows 
are signal transmissions. 

16. An apparatus for connecting a player to a dynamic group, the apparatus comprising a 
computer generating the cryptographic key of claim 1. 

17. The method for generating a cryptographic key of claim 2 wherein said finite group is 
a finite cyclic group. 

18. The method for generating a cryptographic key of claim 1 , further comprising the step 
of: 

a) limiting the dynamic group to a size of three or more parties. 

1 9. A method for generating a cryptographic key by a player in a dynamic group, the 
method comprising: 

a) providing a candidate player U p wishing to be a party for a dynamic group with a 
first player Uj and a last player U m where p>l , 

b) means for connecting player XJ P to the dynamic group. 

20. The method for generating a cryptographic key by a player in a dynamic group of 
claim 19, the method further comprising: 

a) means for removing a set of L players, \J L , leaving the dynamic group. 
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21. Hie method for generating a cryptographic key by a player in a dynamic group of 
claim 19, the method further comprising: 

a) means for generating a downflow by the last playerU B in the dynamic group to 
the other players in die dynamic group. 

22. The method for generating a cryptographic key by a player in a dynamic group of 
claim 19, the method further comprising: 

a) means for joining a set of J player to the dynamic group. 
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FIG. 1A 
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FI6. 2A 
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